OpenClaw CVE-2026-42435: Shell Wrapper Vulnerability Allows Environment Variable Injection

The National Vulnerability Database has detailed CVE-2026-42435, a high-severity vulnerability (CVSS 8.8) affecting OpenClaw versions from 2026.2.22 before 2026.4.12. This flaw stems from insufficient shell-wrapper detection, enabling attackers to inject environment variable assignments at the argv level. This isn’t just a minor bypass; it allows manipulation of critical shell variables like SHELLOPTS and PS4.

Attackers can exploit this to bypass exec preflight handling, fundamentally altering execution semantics and undermining security controls. The impact is significant: high confidentiality, integrity, and availability risk. This type of injection can lead to arbitrary code execution or privilege escalation if an attacker can control the input to an affected OpenClaw instance.

Defenders need to recognize that this isn’t a bug in a specific application feature but a weakness in how OpenClaw validates a command before handing it to the underlying shell. This class of vulnerability is particularly dangerous because it subverts core system functions, making traditional application-level security controls less effective. Patching is critical, but so is understanding the broader implications for systems that rely on robust shell execution integrity.

What This Means For You

  • If your organization uses OpenClaw, immediately identify all instances running versions between 2026.2.22 and 2026.4.12. Prioritize patching to version 2026.4.12 or later to mitigate CVE-2026-42435. Review any custom scripts or integrations that invoke OpenClaw to ensure no untrusted input can reach its argv, as this is the vector for environment variable injection.
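The weak check the advisory describes, beside a hardened form, as an added illustration that is not OpenClaw's own code: a preflight that classifies argv[0] directly is blinded when the command line starts with NAME=value words, whereas one that first peels off leading assignment words can both reject assignments to sensitive variables and still recognize the shell that follows. The shell name list and the deny list (seeded with the two variables named above) are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence

# A POSIX assignment word: NAME=value, NAME matching [A-Za-z_][A-Za-z0-9_]*
_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.DOTALL)
# Assumed deny list, seeded with the variables the advisory names; extend per environment.
DENIED_VARS = frozenset({"SHELLOPTS", "PS4"})
# Assumed set of shell program names the wrapper detector looks for.
SHELLS = frozenset({"sh", "bash", "dash", "zsh", "ksh"})


@dataclass
class Preflight:
    allowed: bool
    reason: str
    shell_wrapper: bool = False
    program: Optional[str] = None
    assignments: Dict[str, str] = field(default_factory=dict)


def naive_is_shell_wrapper(argv: Sequence[str]) -> bool:
    """The weak check: it only inspects argv[0], so a leading NAME=value word
    makes a shell invocation look like an ordinary program named 'NAME=value'."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS


def preflight(argv: Sequence[str]) -> Preflight:
    """Hardened check: strip leading assignment words, then classify the real program."""
    assignments: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        m = _ASSIGN.match(argv[i])
        if not m:
            break
        name, value = m.groups()
        if name in DENIED_VARS:
            return Preflight(False, f"denied variable assignment: {name}", False, None, assignments)
        assignments[name] = value
        i += 1
    rest = list(argv[i:])
    if not rest:
        # Assignment-only command lines have no program to preflight; fail closed.
        return Preflight(False, "no command after assignments", False, None, assignments)
    program = rest[0].rsplit("/", 1)[-1]
    if program in SHELLS:
        # Still a shell wrapper: route it through the shell-specific preflight path.
        return Preflight(True, "shell wrapper detected", True, program, assignments)
    return Preflight(True, "ok", False, program, assignments)
```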

Indicators of Compromise

ID | Type | Indicator
CVE-2026-42435 | Code Injection | OpenClaw versions from 2026.2.22 before 2026.4.12
CVE-2026-42435 | Code Injection | Insufficient shell-wrapper detection vulnerability
CVE-2026-42435 | Code Injection | Injection of environment variable assignments at the argv level
CVE-2026-42435 | Code Injection | Manipulation of SHELLOPTS and PS4 shell variables
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.